Date:      Sun, 6 Apr 2003 06:10:38 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Robin Ericsson <lobbin@localhost.nu>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: input on ipfw rules
Message-ID:  <20030406031038.GB4130@gothmog.gr>
In-Reply-To: <008d01c2fbac$86dcf710$0401a8c0@metis>
References:  <008d01c2fbac$86dcf710$0401a8c0@metis>

On 2003-04-05 21:49, Robin Ericsson <lobbin@localhost.nu> wrote:
>
> I would like to get some input on these rules I'm currently using.
>
> I come from a linux/cisco background, so I want to know how bad these
> are :) mostly my questions are the keep-state stuff. I guess 00235 can
> go, as I think that one allows all traffic from that specific IP if
> already connected elsewhere?

True.

> ipfw add 00230 check-state
> ipfw add 00235 allow tcp from any to any in established

You don't need both of these...  The 'established' one can safely go
away if you make it a habit of writing rules with 'keep-state' as shown
below:

> # ssh
> ipfw add 00700 allow tcp from any to me 22 keep-state

- Giorgos
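The ruleset below is an added example, not part of the thread or of Robin's original rules. It shows what "drop 'established', keep check-state, write the allow rules with keep-state" looks like as a complete loadable script. Rule numbers, the lo0 rules, the outbound rules and the trailing deny are illustrative choices; I also added the 'setup' keyword to the ssh rule so only SYNs create state. FWCMD defaults to a dry run (echo) so the script can be read or tested on a machine without ipfw; set FWCMD=/sbin/ipfw to actually load it.

```shell
#!/bin/sh
# Added example: minimal stateful ipfw ruleset without an 'established' rule.
# FWCMD defaults to a dry run; set FWCMD=/sbin/ipfw to load for real.
FWCMD="${FWCMD:-echo ipfw}"

fw() { $FWCMD "$@"; }

load_rules() {
    fw -f flush

    # Loopback handling (illustrative, standard rc.firewall practice).
    fw add 00100 allow ip from any to any via lo0
    fw add 00110 deny ip from any to 127.0.0.0/8
    fw add 00120 deny ip from 127.0.0.0/8 to any

    # check-state: a packet that matches a dynamic rule created earlier by a
    # keep-state rule is accepted here and skips the rest of the list.
    fw add 00230 check-state

    # Deliberately no 'allow tcp from any to any in established' rule:
    # 'established' matches any TCP segment with ACK or RST set, with no
    # dynamic rule required, so it would admit unsolicited inbound segments
    # (e.g. ACK scans) that check-state alone rejects.

    # Outbound connections from this host create state for their replies.
    fw add 00300 allow tcp from me to any out setup keep-state
    fw add 00310 allow udp from me to any out keep-state

    # ssh: only the initial SYN is matched; the reply traffic and the rest of
    # the connection ride on the dynamic rule via check-state above.
    fw add 00700 allow tcp from any to me 22 in setup keep-state

    # Everything else is dropped and logged.
    fw add 65000 deny log ip from any to any
}

# Convenience check used when reviewing the generated list: exits 1 if an
# 'established' rule slipped back in.
ruleset_has_established() {
    load_rules | grep -q 'established'
}

load_rules
```

Run it as-is to print the rules, or `FWCMD=/sbin/ipfw sh rules.sh` as root to load them; with the dry run, `ruleset_has_established` is a cheap regression check for the exact rule the reply recommends removing.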